[Snort-sigs] SIP scanner sig

Y M snort at ...3751...
Tue Oct 1 11:44:43 EDT 2013

Hi Alex,
Thanks for the information. However, none of the rules you mentioned did actually fire, nor production neither my test environments. That's why I thought I would write a rule for it. If you guys find out that it does fire on the existing rules, then just simply ignore mine.
Thanks again.YM

Date: Tue, 1 Oct 2013 11:38:19 -0400
Subject: Re: [Snort-sigs] SIP scanner sig
From: amcdonnell at ...435...
To: snort at ...3751...
CC: snort-sigs at lists.sourceforge.net

Hi YM.
we have rules that cover sipvicious, if those help. SIDS 27899-27904
thanksAlex McDonnellVRT

On Tue, Oct 1, 2013 at 11:17 AM, Y M <snort at ...3751...> wrote:

Caught this one live today. I can't share the pcap, sorry for that.
alert udp $EXTERNAL_NET any -> $HOME_NET $SIP_PORTS (msg:"INDICATOR-SCAN Sipvicious SIP scanner detected"; flow:to_server; sip_method:options; content:"User-Agent|3A| friendly-scanner|0D0A|"; fast_pattern:only; content:"From|3A| |22|sipvicious|22|"; metadata:ruleset community; classtype:misc-activity; sid:100051; rev:1;)

The sip_method may not be necessary to generalize the signature, any ideas? I can't download the scanner and verify at the moment.


October Webinars: Code for Performance

Free Intel webinars can help you accelerate application performance.

Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from

the latest Intel processors and coprocessors. See abstracts and register >


Snort-sigs mailing list

Snort-sigs at lists.sourceforge.net



Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131001/c7db3df0/attachment.html>

More information about the Snort-sigs mailing list